Enterprise Firewalls
zac_90265
January 11th, 2002, 05:38 AM
Before choice words are posted in my direction with regards to information and diatribes on firewalls being previously posted, I shall admit, a host of information is available in this forum with respect to personal firewalls, however I am interested (and most likely others) in some good information which compares and contrasts Enterprise firewalls. I am looking for the good, the bad and the ugly so I don't have to work primarily off my bias (those that I have worked with and/or know how to set up) or information provided from vendor sponsored/advertising-driven magazines where the propaganda flows like 1943 Germany.
So, if you know of any good links, research papers or honest articles that involve Cisco PIX, Checkpoint, Raptor and the other big boys, please post them.
zac
IchNiSan
January 11th, 2002, 07:38 AM
Well, this is an interesting question.
I have not had the opportunity (yet) to work with Checkpoint's Firewall-1, though I have been trying, and continue to try to get my company to purchase at least one FW-1 system to help us set up our DMZ with different firewall technology at each level.
I have, however, had quite a lot of experience with the Raptor Firewall (now known as Symantec Enterprise Firewall).
As it is time for me to get some sleep, I will save most of my raves and rants about Raptor Firewall for posting here tomorrow, but I will say two things, one good, one bad.
The application proxies that are implemented in Raptor Firewall V 6.5 have kind of astounded me. When Code Red came out, and then other similar pieces of malevolent code, such as Nimda, the HTTP proxy used in the Raptor firewall prevented the compromise of a couple of our vulnerable machines, running unpatched versions of IIS 4 and IIS 5. These machines were hosting web sites which were available to anyone on the net, and were administered by people who did not monitor vulnerabilities or patches at all. Using the service redirection and application proxies of the Raptor firewall however, seemed to prevent any of the traffic from affecting those boxes at all. Partly it was because the HTTP application proxy denies access to any request which violates RFC prescribed standards, and partly it was because of some other, less obvious or describable reasons. If I can come up with enough time to go back over my notes and conclusions about this, I will post more info on this tomorrow, or the next day.
On the bad side, Raptor Firewall V 6.5 (at least this one, and probably other versions as well) has some issues with running a DNS service or passing the port 53 UDP or TCP traffic in order to run a DNS server behind the Raptor firewall. Perhaps I am just missing something, but every time I attempt to set the firewall up to pass DNS request traffic from the outside to DNS servers in our DMZ, the firewall becomes extremely sluggish, or simply hangs itself and needs to be rebooted, or even, disconnected from the network, restarted, change the rules, and then reconnected to the network. This happens to me, regardless of whether or not I am running the DNS daemon which comes packaged as part of the Raptor Firewall.
Anyway, it is time for me to get some sleep.
Maybe someone here has seen this behavior before and has an idea for me, or perhaps I am just totally missing something, or, at the very least, someone else will be forewarned about a potential issue with running the raptor firewall.
Bottom line for me though, is: I LOVE it. Raptor Firewall 6.5 has, overall, been nothing but a good thing for us. Though we did have one other issue, while trying to set up a VPN with another site, which happened to be running Checkpoint FW-1. We did manage to get it working, but it took a great deal of work and communication between myself and the Checkpoint admin on the other end to make it work. Because of each of our familiarity with the different systems, it was almost as if we were speaking different languages sometimes. We did manage to figure out what setting names corresponded with which other setting names, though, and also, which settings were completely incompatible for a working VPN.
Good Luck,
IchNiSan
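IchNiSan's post credits the Raptor HTTP proxy with refusing any request that violates the RFC grammar, which is what kept the unpatched IIS boxes behind it alive. The following is an added example, not code from the thread and not Raptor/Symantec Enterprise Firewall's own proxy: a strict HTTP/1.x request-line check of the kind an RFC-enforcing proxy performs before anything is forwarded to a web server. The method token and version grammar follow RFC 2616; the request-line length limit and the sample requests are constructed for the example.

```python
"""Strict HTTP/1.x request-line conformance check (added example)."""
import re

# RFC 2616 "token": one or more characters that are neither CTLs nor separators
# ( ) < > @ , ; : \ " / [ ] ? = { } SP HT.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Only HTTP/1.0 and HTTP/1.1 are proxied; anything else is refused.
_VERSION = re.compile(r"^HTTP/1\.[01]$")
# Request-URI accepted here: abs_path (with optional query) or an absolute http(s) URI.
_URI = re.compile(r"^(/[^\s]*|https?://[^\s/]+(/[^\s]*)?)$")

MAX_REQUEST_LINE = 2048  # hypothetical proxy limit, not an RFC value


def check_request_line(line, max_len=MAX_REQUEST_LINE):
    """Return (ok, reason); ok is True only for a well-formed request line."""
    line = line.rstrip("\r\n")  # the terminating CRLF is not part of the grammar
    if len(line) > max_len:
        return False, "request line exceeds configured limit"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in line):
        return False, "control character in request line"
    parts = line.split(" ")
    if len(parts) != 3:
        return False, "request line must be Method SP Request-URI SP HTTP-Version"
    method, uri, version = parts
    if not _TOKEN.match(method):
        return False, "method is not an RFC 2616 token"
    if not _URI.match(uri):
        return False, "Request-URI is neither abs_path nor absoluteURI"
    if not _VERSION.match(version):
        return False, "unsupported or malformed HTTP-Version"
    return True, "ok"


def screen(lines):
    """Map each request line to its verdict, as a proxy access log would record it."""
    return {line[:40]: check_request_line(line) for line in lines}


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /index.html HTTP/1.1\r\n",
    "GET /default.htm?" + "X" * 3000 + " HTTP/1.0\r\n",   # overlong query
    "GET /cgi-bin/a\x00b HTTP/1.0\r\n",                     # embedded NUL
    "G<ET /x HTTP/1.1\r\n",                                 # separator in method
    "GET index.html HTTP/1.1\r\n",                          # relative URI
    "GET / HTTP/2.0\r\n",                                   # version not proxied
]

if __name__ == "__main__":
    for key, (ok, reason) in screen(SAMPLES).items():
        print(f"{'ACCEPT' if ok else 'DENY ':6} {reason:55} {key!r}")
```

Splitting on a single space rather than arbitrary whitespace is deliberate: the grammar calls for exactly one SP between fields, so a doubled space or a tab is itself a conformance failure and is refused rather than normalised.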
KorpDeath
January 11th, 2002, 05:34 PM
Checkpoint FW-1 is the most used firewall. It also however has more exploits than I've had bowel movements.
The only enterprise firewall that I put my trust in is Sunscreen. However there are some caveats.
One- It costs a bundle and the hardware it runs on costs some serious moolah.
Two- You really need to know your stuff about Solaris and networking to get the most out of it.
and Three- Don't... but don't harden the OS until you're absolutely sure you're done configuring the system... you can't go back once you harden the OS.
On the other hand the new IOS of PIX is supposed to be pretty good. So if you're gonna go for the low-end I'd say get a couple of PIXs.
Just my two cents!
zigar
January 11th, 2002, 06:07 PM
any opinions on watchguard fireboxes...the 700 got some good press in price/protection
gold eagle
January 11th, 2002, 06:16 PM
One question is - does anyone know how good a cisco 3300 vpnc works with ckpw FW1? considering that vs rsa vpn ..
thks
KorpDeath
January 11th, 2002, 07:07 PM
start a new thread for that question. It's kinda hidden here...
VanEck
January 11th, 2002, 10:12 PM
Has anyone ever had any negative experiences with SonicWall Firewalls? I had to install and configure one for a company once because it was what they insisted on using. So I got it up and running for them but I really did not know if that was their best choice or not. It seems secure from what I can tell. Kind of nice that it is a dedicated external piece of hardware as well.
SoggyBottom
January 13th, 2002, 10:48 PM
Thought that I would put my 2 cents worth....
I am familiar with Checkpoint, as well as the intrusion appliance firewalls.
I have never set up from scratch a Checkpoint firewall, although I do administer the rules, and if you are expecting a large ruleset, it can be difficult to locate specific rules. The logs are excellent for troubleshooting. I believe that CP NG does have a lot more features than its previous version.
The appliance firewalls are quite easy to set up, and are for about 50 or so users with a T1 connection.
I have heard that Sonic firewalls do not have remote administration, is that true?
iNViCTuS
January 14th, 2002, 09:44 PM
First of all, lets get this straight...50 users with a T-1 is NOT an enterprise network.
Checkpoint however is a very good firewall. I am currently working for a client that has over 150 Checkpoint firewalls enterprise wide throughout the world. They are currently using ver 4.1 on Nokia IP 650 appliances and Solaris management console.
Checkpoint has a much "prettier" interface than the Cisco PIX, and it is much easier to use for most people.
So I guess it really depends on the application. If it is a smaller network (less than 1000 nodes) and there is no need to manage multiple firewalls or firewall domains, and there will not be an extremely large rulebase, I would definitely recommend a Cisco PIX, otherwise if you can afford it of course, go Checkpoint. Both will do the job, the PIX will be cheaper. Symantec (Raptor) is also a very nice firewall. It has one feature that the others don't. It can proxy. This may or may not be a good thing, depends on the situation. One thing to be careful of is that Raptor (Raptor is shorter than Symantec Enterprise Firewall in case you are wondering) cannot do failover/load balancing without a third party product.
Hope this helps.
EvIl eLf
January 15th, 2002, 01:44 PM
Hello all, from what I can gather Checkpoint's FW-1 has security holes like any other product, because it's the most common, just like ("gulp") Microsoft. Usually the most popular products get the most scrutiny so that's that. A good place for info on Firewall-1 is www.phoneboy.com. As far as other products, I personally like the WatchGuard Firebox II. I think it does an excellent job of NAT and dynamic packet filtering. Cisco PIX has an awesome stateful inspection engine. I am partial to hardware based firewalls because of their great encryption acceleration.
Well, that's my one and one half cents.
E.W. Pacheco
shkuey
January 15th, 2002, 01:52 PM
My SonicWall hasn't let me down yet. Well, except for a bad jack, just had to a take a pair of pliers to it.
EvIl eLf
January 15th, 2002, 02:01 PM
Here I will post some sites with firewalls and their FAQs
Checkpoint www.phoneboy.com
WatchGuard www.watchgaurd.com
Cisco pix vs fw-1 www.roble.com/docs/fw1_or_pix.html
linux based freesco www.freesco.org
information security books for free http://www.secinf.net/
secure point linux http://www.securepoint.cc
hope that helps
Words of the day: "We all must share knowledge in a positive way, not ridiculing each other. Remember Galileo".
EvIl
iNViCTuS
January 15th, 2002, 05:42 PM
Let me tell you guys a little something about watchguard.....
IT SUCKS!!
Sure it has a decent interface, it is pretty easy to use and it is secure (at least as secure as the admin makes it), but EVERY time you make a configuration change, the Firebox needs to reboot. Now this might be OK in a very small environment, but try to do it on a bigger network when someone "needs" a change done immediately, but you first have to tell everyone that the firewall will be down for a while while it reboots. Also, Watchguard tech support sucks. I once called them with a network down emergency, and I was forced to leave a message describing the problem on an answering machine, and an engineer would get back to me in four hours. Now I do not know how many of you have ever worked on a corporate network, but try explaining to your boss and everyone else that the Internet will be down for at least four hours while you are waiting for a call back from tech support, who you never even actually talked to, just left a message. I have been forced to call them several times with the same problem each time, and I will let you know now that my fastest resolution time was about 3 hours, with the longest being 2 days, and it took 9 hours for someone to get back to me.
So bottom line....Watchguard is NOT an Enterprise Firewall.
BTW...Checkpoint did have some minor vulnerabilities, but what products don't. The Checkpoint vulnerabilities were very minor. Also, Checkpoint tech support is nothing special either, but it is much better than Watchguard.
Cisco is a great firewall and tech support is second to none. There is no tech support better than cisco as far as I am concerned.
Sonicwall...again not a bad small firewall, but NOT an enterprise level firewall at all.
I have been working with firewalls almost constantly for about the last five years, it is my job, so trust me, I know. All of these firewalls have their place, just make sure you choose the right one for the right situation.
iNViCTuS
January 15th, 2002, 05:45 PM
Oh...and if you truly want a good firewall. Try IPF on *BSD. Very easy to use and extremely powerful.
Some people are afraid of *nix firewalls though.
KorpDeath
January 15th, 2002, 11:06 PM
Originally posted by iNViCTuS
Oh...and if you truly want a good firewall. Try IPF on *BSD. Very easy to use and extremely powerful.
Some people are afraid of *nix firewalls though.
Some people are afraid of the dark but that doesn't mean you should stay inside at night.
And Checkpoint has more than a few vulnerabilities, my friends. Do your homework.
iNViCTuS
January 15th, 2002, 11:41 PM
OK...please tell me a major vulnerability that has ever been discovered in a Checkpoint firewall. Big deal, a DoS here or there or maybe a malformed packet vulnerability. A firewall is more about the firewall admin than it is the type of firewall.
EVERYTHING has vulnerabilities...only the big players get scrutinized for every vulnerability that is uncovered (i.e. Microsoft, checkpoint, etc) That is why it is important to apply patches and updates. Of course an unmanaged firewall is useless to begin with.
I have been working with Checkpoint firewalls for a long time, so believe me, I have done my homework.
And as far as a Unix firewall is concerned, you cannot easily manage multiple firewalls within a single interface like you can with Checkpoint or Cisco. So that is what I meant by being afraid of them. Many organizations do not have the in-house talent to manage IPF, IPTABLES, IPCHAINS, etc. We know it is not that difficult, but many organizations still do not trust these types of applications because they are not highly publicized.
Kewl_Zero
January 16th, 2002, 12:03 AM
IMHO, NOTHING...I repeat...NOTHING...compares to the reliability of Zone Alarm Pro for a software firewall! Ease of installation, ease of configuration...and back it up with a hardware firebox, and it's almost unbeatable! Zone Alarm Pro sells for roughly 40 US dollars per license...for its price, come on, friends!!??
iNViCTuS
January 16th, 2002, 03:02 AM
yeah...maybe you are right...I should suggest that to my company.
100,000 users X $40/users
plus another few thousand for a firebox II
----------------------------------------------------------
= only just over $4 million
What the hell was I thinking...that is definately the way to go ;)
EvIl eLf
January 21st, 2002, 05:55 PM
A good firewall is only as good as its admin and ability to recognize attack signatures and react to them. Oh yeah, bleeding network traffic to the internet would be good as well.
All that I have mentioned are configuration based; most firewall products do this. I am not against Unix, I love it. As for using it as a firewall, we must get out of the new jack hacker way of thinking: just because it's harder does not mean it's better. Most people want to use a simplistic product like Checkpoint Firewall-1 with a GUI. Not many people who buy firewalls buy ipchains firewalls. Although it's cool to know, I have never seen ipchains implemented in an enterprise environment, and I have rarely seen an OpenBSD based firewall implemented. Why? Because of ease of use.
Lets all grow up and think of the essentials "Bruce lee"
wct097
January 24th, 2002, 02:48 AM
Originally posted by iNViCTuS
Let me tell you guys a little something about watchguard.....
IT SUCKS!!
Sure it has a decent interface, it is pretty easy to use and it is secure (at least as secure as the admin makes it), but EVERY time you make a configuration change, the Firebox needs to reboot. Now this might be OK in a very small environment, but try to do it on a bigger network when someone "needs" a change done immediately, but you first have to tell everyone that the firewall will be down for a while while it reboots. Also, Watchguard tech support sucks. I once called them with a network down emergency, and I was forced to leave a message describing the problem on an answering machine, and an engineer would get back to me in four hours. Now I do not know how many of you have ever worked on a corporate network, but try explaining to your boss and everyone else that the Internet will be down for at least four hours while you are waiting for a call back from tech support, who you never even actually talked to, just left a message. I have been forced to call them several times with the same problem each time, and I will let you know now that my fastest resolution time was about 3 hours, with the longest being 2 days, and it took 9 hours for someone to get back to me.
So bottom line....Watchguard is NOT an Enterprise Firewall.
We just got a new Watchguard Firebox to replace our previous firewall. I've been busy setting it up and adjusting it as I find problems. So far, I've only had to reboot it twice in over 25 changes. I can't agree with you on the part about "EVERY time you make a .....change....needs to reboot". Additionally, reboots don't seem to take more than a minute (although I haven't timed one). I don't think anyone even noticed.
Now, I can't comment on it being an Enterprise firewall, as we only have about 20 users.
Security wise.... it's only as secure as the admin.... let's hope I do/did a good job.
deByte
January 24th, 2002, 04:07 AM
posted by EvIl eLf
A good firewall is only as good as its admin and ability to recognize attack signatures and react to them. Oh yeah, bleeding network traffic to the internet would be good as well.
A firewall is as solid as the rules set up by its admin. Balancing the vulnerability of the firewall and its ease of use, like setting up complex rules, is important. Also find out other users' comments on the tech support provided by the vendor.
rgds
de
jardes
January 24th, 2002, 06:54 AM
Hello all.
Does anyone use Gauntlet anymore?
Any comments are welcome.
--- I sleep well, sleep i well future?
THEJRC
January 24th, 2002, 07:18 AM
Nice review on Raptor IchNi... I'll have to check it out
I've had good luck with Cisco's PIX (well, the classic PIX suck) but the interface is just clunky... as stated above!
Netscreen makes a good strong product for a hardware firewall as well, I've put in quite a few of em and had excellent luck with them. I like their VPN ability and the interface is almost too friendly (ok it is too friendly)
And of course for a mid sized network (not home, but not quite enterprise) a Cobalt system like the Qube II or Qube III is quite cost efficient and will most likely do, they also make great small to mid company mail and web servers... (DNS too even....) I used to have a Qube II sitting on my John at home serving as a firewall and providing DNS services (why the john... because I could!!)
I've heard mixed reviews on Checkpoint, and I've never had the chance to play with it so I can't say much in that direction.
I suppose in all reality the differences in what firewall you use (so long as it offers ample configuration options) doesn't really matter as much as how you use it.
~THEJRC~
EvIl eLf
January 24th, 2002, 02:06 PM
I have been checking out several firewall products. I like the Sofabox
www.s-box.com. This is a Checkpoint small office product that includes the stateful inspection engine, with a built in IDS system for $300. This box is awesome; from what I see it seems to be a simpler way to filter sites, add rulesets and filter traffic. The Sofabox, as it is called, is OPSEC compliant, meaning a box running Checkpoint will be able to modify rulesets.
Essentially S-box is a modified version of BSD with Checkpoint on it. Yet another great product is Trend Micro's Securepoint, which is a firewall Linux OS that can connect to Windows based management stations. It has a built in VPN and virus wall. For personal use it is free; I don't have any specifics on the price. It also uses stateful inspection. A good one for the home DSL/cable modem user is LRP (Linux Router Project) Freesco at www.freesco.org. It uses a dynamic packet filtering engine and a great web interface, plus it fits on a floppy, will run on a system with a 66MHz processor and 16 MB of RAM and no hard drive (yes, no hard drive). This of course is freeware.
PeAcE
mrwall
February 5th, 2002, 07:04 PM
Originally posted by iNViCTuS
OK...please tell me a major vulnerability that has ever been discovered in a Checkpoint firewall. Big deal, a DoS here or there or maybe a malformed packet vulnerability. A firewall is more about the firewall admin than it is the type of firewall.
EVERYTHING has vulnerabilities...only the big players get scrutinized for every vulnerability that is uncovered (i.e. Microsoft, checkpoint, etc) That is why it is important to apply patches and updates. Of course an unmanaged firewall is useless to begin with.
I have been working with Checkpoint firewalls for a long time, so believe me, I have done my homework.
And as far as a Unix firewall is concerned, you cannot easily manage multiple firewalls within a single interface like you can with Checkpoint or Cisco. So that is what I meant by being afraid of them. Many organizations do not have the in-house talent to manage IPF, IPTABLES, IPCHAINS, etc. We know it is not that difficult, but many organizations still do not trust these types of applications because they are not highly publicized.
Hell Yea, Since when was a CP so bad DeathKorp?
I have worked for CP since it had version 3.0 and until this very day, I have NOT seen anything reported as a CP vuln. that wasn't actually gay administration.
Let me name the three major problems found in CP,
1. ACK DoS
2. w32 GUI buffer overflow
3. RDP VPN issue.
Let's start one by one
1. The Ack Dos,
Have you ever touched a CP box? as in EVER in your life did so? well if you have, you'd probably know that CP uses a language for its FW called INSPECT, even before CP released its fix or before I read Lance Spitzner's FW-1 state paper, I knew that CP doesn't maintain state by TCP flags, and that ACK packets could pass and get compared to the rulebase. So, simply I didn't sit beside my FW and start crying, I wrote a simple INSPECT script that checks the packet's flag, records it to a value in the connections table and compares the next packets to it, the idea is simple. SYN = 1, SYN/ACK = 2, ACK = 3.
Here is the logic
if (syn) {record <conn;1> in connections, accept};
if (syn, ack) {set sr1 connections[conn],
if (sr1 != 1) {vanish} or record <conn;2> in connections, accept};
if (ack) {set sr1 connections[conn],
if (sr1 !=2) {vanish} or record <conn> in connections, accept};
Simple, eh?
2. Did you read the advisory? It says that the vuln. just stops the FW from loading the correct policy, do you know what that means? it will default to the defaultfilter.pf that comes with it. So, why not smart-ass yourself and just change defaultfilter.pf to some good policy that you could consider as a back-up plan?
3. The RDP VPN issue, well, from CP's info they have ignored fixing this problem for quite a while, reason?, cuz it's only in their FWZ encapsulation scheme and it just uses 46-bit keys <heh, since when were 46 bits at all secure for a VPN network?> and with the current growth of cryptographic standards like AES and 3DES, FWZ is useless unless in small situations like SecuRemote which now has an IKE option.
In other words, if you're saying CP is bullshit, I think you REALLY have to go and learn this before you talk about it.
Sincerely,
someone that's ****ed-up from ppl that don't wanna hire an under-15 yr. old kid.
etsh911
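etsh911's point 1 above sketches, in INSPECT pseudocode, how to close the "lone ACK" gap: record where each connection is in the three-way handshake and refuse any ACK that has no SYN and SYN/ACK behind it, instead of letting it fall through to the rulebase. The following is an added example, not the INSPECT script from the post and not Check Point's own code: the same stage numbering (SYN = 1, SYN/ACK = 2, ACK = 3) implemented as a small Python stateful filter. The allowed-port "rulebase" and the addresses in the sample packets (documentation ranges) are constructed for the example.

```python
"""TCP-flag-aware stateful filter modelled on the SYN/SYN-ACK/ACK stages above (added example)."""
from enum import IntEnum

# TCP flag bits as laid out in the header flags byte.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class Stage(IntEnum):
    SYN_SEEN = 1      # "1": initiator's SYN recorded
    SYNACK_SEEN = 2   # "2": responder's SYN/ACK recorded
    ESTABLISHED = 3   # "3": handshake completed by the initiator's ACK


class StatefulFilter:
    def __init__(self, allowed_ports):
        # Hypothetical rulebase: destination ports an inbound SYN may open.
        self.allowed_ports = set(allowed_ports)
        # Connections table keyed by the initiator's 4-tuple -> Stage.
        self.conns = {}

    def inspect(self, src, sport, dst, dport, flags):
        """Return 'accept' or 'drop' for one packet, updating the table."""
        fwd = (src, sport, dst, dport)   # key if this packet is initiator -> responder
        rev = (dst, dport, src, sport)   # key if this packet is responder -> initiator
        syn, ack = bool(flags & SYN), bool(flags & ACK)

        if flags & RST:
            # Tear down whichever direction the entry was recorded in.
            existed = (self.conns.pop(fwd, None) is not None) or \
                      (self.conns.pop(rev, None) is not None)
            return "accept" if existed else "drop"

        if syn and not ack:
            # New connection attempt: the only packet the rulebase is consulted for.
            if dport not in self.allowed_ports:
                return "drop"
            self.conns[fwd] = Stage.SYN_SEEN
            return "accept"

        if syn and ack:
            # Must answer a SYN we recorded travelling the other way (sr1 == 1).
            if self.conns.get(rev) != Stage.SYN_SEEN:
                return "drop"
            self.conns[rev] = Stage.SYNACK_SEEN
            return "accept"

        if ack:
            # Initiator's handshake ACK, or later data in either direction (sr1 == 2 or 3).
            if self.conns.get(fwd) in (Stage.SYNACK_SEEN, Stage.ESTABLISHED):
                self.conns[fwd] = Stage.ESTABLISHED
                return "accept"
            if self.conns.get(rev) == Stage.ESTABLISHED:
                return "accept"
            # Bare ACK with no handshake behind it: the packet the post is about.
            return "drop"

        return "drop"  # anything else (e.g. no flags at all) is not a valid TCP state


def run_demo():
    """Constructed traffic: one legitimate session, then three out-of-state probes."""
    f = StatefulFilter(allowed_ports=[80])
    client, server = "198.51.100.20", "192.0.2.10"
    session = [
        f.inspect(client, 40000, server, 80, SYN),
        f.inspect(server, 80, client, 40000, SYN | ACK),
        f.inspect(client, 40000, server, 80, ACK),
        f.inspect(server, 80, client, 40000, ACK),   # server data after handshake
    ]
    probes = {
        "lone ACK, no handshake": f.inspect("203.0.113.7", 5555, server, 80, ACK),
        "SYN to port not in rulebase": f.inspect("203.0.113.7", 5555, server, 23, SYN),
        "SYN/ACK with no prior SYN": f.inspect(server, 80, "203.0.113.7", 5555, SYN | ACK),
    }
    return session, probes


if __name__ == "__main__":
    session, probes = run_demo()
    print("handshake + data:", session)
    for name, verdict in probes.items():
        print(f"{name:30} -> {verdict}")
```

Keeping the table keyed by the initiator's tuple and looking it up under both `fwd` and `rev` is what lets the responder's SYN/ACK and later data match the entry the client's SYN created; without that, every packet from the server side would look like a new, unrelated flow.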
KorpDeath
February 5th, 2002, 07:33 PM
Here you go. I'm glad to see that none of you can use Google to search for vulnerabilities in stateful inspection engines, so here's one. If you want to find out more specific information ask someone from the NSA to send you their test results. Yeah right.
http://cutter.com/itgroup/reports/deploying.html
Read this and then go do your homework.
KorpDeath
February 5th, 2002, 08:57 PM
So where are you now?
Installing a new firewall?
hehehehe........... j/k
iNViCTuS
February 5th, 2002, 09:08 PM
I read this article, and nowhere does it state specific Checkpoint vulnerabilities!! Plus it is written by a consultant who is full of BS and is trying to scare people into using their services.
The vulnerabilities that mrwall stated are the main vulnerabilities found in Checkpoint's firewall. Here is a link to all of them:
http://www.checkpoint.com/techsupport/alerts/
If you read these, nothing serious is due to a weakness in the Checkpoint, rather the underlying OS or poor administration. Everything mrwall said is exactly right.
but anyway...mrwall (etsh911) why don't you list your qualifications if possible so people don't think you are full of $hit.
http://foundstone.com/company/george_kurtz.html ......lol ;)
BTW...KorpDeath...I am giving you some antipoints because I like the fact that we can have a good old fashioned argument in a diplomatic manner.
KorpDeath
February 5th, 2002, 09:27 PM
Well that's cool.
I'm sorry I can't get more specific about the vulnerabilities, you see, the company I work for has a partnership w/ Checkpoint, so my hands are tied, so to speak.
I could refer you to many more articles but I'm sure you guys know how to find them.
And the last people I would believe would be the company that makes the firewall (Checkpoint), they are infamous for not revealing a problem until after they attempt to fix it.
You really need to find a non-biased look at it.
iNViCTuS
February 5th, 2002, 09:58 PM
I think this brings us back to something we all know and have said a thousand times:
It's not so much the firewall as it is the person who configures it. Vulnerabilities can be found in anything. Checkpoint gets more recognition unfortunately because they are so popular in this space. My company also is partnered with Checkpoint, and I am sure mrwall's is too. So I know how you feel. But when it comes down to the bottom line, I would feel comfortable deploying Checkpoint in just about any environment, and I'm sure you would probably agree.
Thanks for the arguments though...it was fun. I am waiting for another topic that we can tear apart now....;)
mrwall
February 6th, 2002, 11:10 AM
Your hands are tied?
So what? I work for an OPSEC partner and we developed a lot of shit. Plus, check my posts on the firewall-1 wizards list hosted by phoneboy, it proves that I DO know what I'm talking about, unlike what you said in your AntiPoint.
I'm not saying that CP just says "hey, here's an unfixed vulnerability", I have passed by a few that were not fixed, so? is this like saying "those BH2001 vuln.s were really bad"? those were BULLSHIT. Would you please at least note something wrong of what I said?
Also, would you mind helping us find those un-fixed-vulns-of-CP?
Well, O Well, are you arguing some gay paper like http://www.avolio.com/apgw+spf.html ? I think that is the most ridiculous paper I ever read. In his paper, he considers CP's limit in not looking at the packet's content, and what does Phoneboy's HTTP stateful inspection script do? what is the TCPDATA parameter in INSPECT used for? May you tell me?
Name something that is not an admin's fault.
Also, if you were really working as a partner in the OPSEC alliance, how are you arguing CP? at least name one problem that has appeared in CP and wasn't fixed.
I have read that paper that you linked to, and I completely agree with Invictus, this is BS and has nothing related to CP.
Also, in your AP you said that you have used CP for 3yrs, may I ask what do you know about NG's engine? it has completely changed from the old FW-1 one.
If you wanted to complete this post in a decent way, plz do, point us to some CP vuln. or a real problem with CP's engine, or just ask a moderator to remove it.
Invictus (or however you spell it :)) : I'm not sharing any qualifications at all in here, I know who I am, and a lot of people have agreed on my knowledge and I think that by a simple browse of the fw1-wizards list you would see how I simplified a lot of stuff.
etsh911
iNViCTuS
February 6th, 2002, 04:05 PM
Originally posted by mrwall
Invictus (or however you spell it :)) : I'm not sharing any qualifications at all in here, I know who I am, and a lot of people have agreed on my knowledge and I think that by a simple browse of the fw1-wizards list you would see how I simplified a lot of stuff.
etsh911
I know....I was just being sarcastic. Anyone who has been around security and has read security newsgroups for any amount of time knows that you are not full of $hit. In fact I have, and I am sure many people have, learned a lot from you sharing your knowledge.
I also know that your knowledge goes way beyond the realm of Checkpoint. I really think you should write a book sometime ;)
BTW...you might have known me previously as c4rp3dm. But anyway...thanks etsh911 for all the help and knowledge you provide to all of us...it is much appreciated. And it is nice to have you as a member of this forum.
I do have a question for you...but I will post it in a different thread..
mrwall
February 6th, 2002, 04:49 PM
Hey Invictus, I just read your pvt. msg. I think you're mistaking me for someone else.
Actually, I have found a lot of ppl talk about it :). Someone did use my nickname <or something near to it> on irc.box.sk and claimed he was George Kurtz <which probably is the reason why you dropped that link> if that guy is still there, would you tell me when does he drop by? I would like to know who it is.
And thanks for your trust ;)
etsh911
iNViCTuS
February 6th, 2002, 05:04 PM
Ahhh...ok....that makes much more sense now. That is probably what happened...cuz I used to read all your newsgroup posts, and then when the 'fake' etsh911 came along...things didn't seem to match up and something seemed a little strange.
But I do appreciate all 'your' help on the wizards list. You have helped me with a lot of problems. I did post another question for you in this forum...check it out and see if you can help.
Don't you hate those imposters.
mrwall
February 6th, 2002, 05:21 PM
Thanks,
Hey, which name do you go by on the List? and when did I help? :)
I rule, don't I? :)
BTW, I answered your Q, check it out,
Hope I helped,
etsh911
KorpDeath
February 6th, 2002, 05:26 PM
These aren't relevant anymore?
1. One-way Connection Enforcement Bypass
2. Improper stderr Handling for RSH/REXEC
3. FTP Connection Enforcement Bypass
4. Retransmission of Encapsulated Packets
5. FWA1 Authentication Mechanism Hole
6. OPSEC Authentication Spoof
7. S/Key Password Authentication Brute Force Vulnerability
8. GetKey Buffer Overflow
And when did I say anything about OPSEC?
And in case you didn't read it in the previous posts I think CP-1 isn't as good as it could be. For instance we ran it in a couple of switches and it could barely deal with a full T-1 worth of traffic. Crashed all the time, unloaded policies spontaneously, the only good thing I think it did by crashing was to crash closed instead of open.
Hey OSHA just informed me that if more than one person is going to ride my a$$ then I need to install hand rails and safety straps.
What got you so pissed off? Are you an engineer for CP or what? As one of my colleagues put it "sheesh".
mrwall
February 6th, 2002, 05:46 PM
CP-1? what product is that? I know of FW-1 and VPN-1 but not of CP-1, maybe it is something I haven't come across. Well, did you just copy those off the Alerts link? those are NOT attacks that I get afraid of. CP just posts fixes using INSPECT and any self-respecting admin should go out and learn INSPECT before he tries to use CP in a good way, and since I do know INSPECT I try my best to look at those config files, and by the time one of those vulns are reported I already have a fix for it even before CP releases its own fix.
What would make CP systems crash? I use both Nokia appliances and SPARC powered servers for my CP installs <lately I added Debian to the list> and they never crashed, plus, if it DID crash, then I think you took some illegal way. CP's list of appliances says the recommended speed for each box, and I have had CP on dual T3 lines without problems at all, actually I also know of ppl that got it on really higher speeds.
About unexpected policy unloads, that was not documented anywhere, probably cuz you got policy conflicts? did someone try to mess with CP's config files? CP sometimes has to call functions defined in kerntabs.h, otherwise if your install was on a Linux other than the suggested kernels or a patched/unofficial one, like NSA's or has some weird patch, then probably it is the reason.
and BTW, yea, I am an engineer for CP <an OPSEC partner actually, not CP itself> and when you talked about undisclosed vuln.s I thought of BS.
Yet, we do have reported issues :\, but look at the bright side, they aren't serious :)
Ciaz,
etsh911
KorpDeath
February 6th, 2002, 05:53 PM
I'm glad you cleared it all up for me. My mistake, Checkpoint FW-1 is god, you're right.
I'm still using Sunscreen though, although you almost converted me.............
mrwall
February 6th, 2002, 06:01 PM
lol, I'm not about converting people, and convincing ppl what is right and what is wrong, I do not have anything against anybody, I just have knowlege to keep me alive :).
Just think of it, could SunScreen provide anything that CP didn't?
All those Security Servers, nice VPN solution, easy management, etc.
hehehehehe, you should turn back :-)
Enjoy!
etsh911
KorpDeath
February 6th, 2002, 06:07 PM
Then would you mind not neg'ing me for EVERY single comment I've made? It's really not necessary. Thanks in advance.
iNViCTuS
February 6th, 2002, 06:07 PM
Originally posted by mrwall
Thanks,
Hey, which name do u go by on the List? And when did I help? :)
I rule, don't I? :)
BTW, I answered your Q, check it out,
Hope I helped,
etsh911
I went by the same name for the most part but have had many other names that I used to use way back (c4rp3dm, VOeyeP, and more....lol). It has been a while since I have posted there, so I don't remember specifically what problems you have helped me with.
I use the wizards more as a reference in case I forget something... I am good enough with Checkpoint now to work through many of the problems I come across. But don't worry... I am still keeping an eye out ;)
and yes you do rule :o
mrwall
February 6th, 2002, 06:15 PM
lol,
NP guys, so, time to put this thread to an end :)
Start a new one :0
Yours,
etsh911
KorpDeath
February 6th, 2002, 06:18 PM
Originally posted by mrwall
those are NOT attacks that I get afraid of.
But they are vulnerabilities nonetheless.
Originally posted by mrwall
And BTW, yea, I am an engineer for CP <an OPSEC partner actually, not CP itself>, and when you talked about undisclosed vulns I thought of BS.
I did not mean to insult your life's work. Really.
Originally posted by mrwall
Yet, we do have reported issues :\, but look at the bright side, they aren't serious :)
Ciaz,
etsh911
What would you consider "not serious"? Just curious.....
iNViCTuS
February 7th, 2002, 05:38 PM
Originally posted by KorpDeath
I'm glad you cleared it all up for me. My mistake, Checkpoint FW-1 is god, you're right.
I'm still using Sunscreen though, although you almost converted me.............
It's really too bad that Sunscreen is going away soon though. I think it is gonna be EOL'd in a couple of weeks. I've got some inside information....and it is from a pretty reliable source.
KorpDeath
February 7th, 2002, 06:03 PM
Originally posted by iNViCTuS
It's really too bad that Sunscreen is going away soon though. I think it is gonna be EOL'd in a couple of weeks. I've got some inside information....and it is from a pretty reliable source.
That really does suck because the product is as solid as products get. I've been hoping someone will buy the rights and do more with it because it certainly deserves more than the shelf. Know what I mean?
hey_wilber
February 8th, 2002, 05:53 PM
One hint for those using Checkpoint installed on Nokia devices... Keep away from automatic translation rules, or keep them to a max of 30. Any more than that will put a great strain on the system.
Plan your DMZ routes and use multihomed web servers within the DMZ with two physical networks: inbound and secure LAN traffic.
Use a distributed environment only.
Do not install VPN policy server object on the management station. Use the Nokia for that.
Keep up with patches for IPSO and FW1.
iNViCTuS
February 8th, 2002, 06:25 PM
wilber is right... you do not want to use automatic NAT rules if you can avoid it. Just do them manually... it is much easier anyway. As far as the dual-homed idea for the web servers, though... I don't know about that. Why would you want to connect your web servers directly to the private LAN? IMHO, not a good idea. If you need a database connection from the web servers to the LAN or something like that... consider adding another firewall to create a multilayered environment. The reason I would not add the second NIC connected to my LAN is that if that host is compromised, the attacker now also has a direct connection to the LAN. This completely negates the purpose of having a DMZ.
KorpDeath
February 8th, 2002, 06:27 PM
Too true. Multi-homed DMZ boxes are NOT a good idea.
RiOtEr
February 14th, 2002, 12:51 PM
KorpDeath, you seem to have knowledge in this area, but one problem: you seem to be stuck on vulnerabilities. Everything has vulnerabilities, so just because it has a vulnerability is no reason to stop using it. That would be like not eating some canned food because the tin was dented. Now that's just silly, isn't it? So, well, that's my 2 cents.
gold eagle
February 14th, 2002, 02:34 PM
The only reason I would see for a multi-homed DMZ box is for a control channel NOT leading to the inside LAN. ;) That's why I do it anyway.
About the auto trans rules - totally agree. They have always given me problems, so I do all manually. What's most amusing is when I've got a CKP eng over for some work and I have to explain them all. :D
Vorlin
February 14th, 2002, 05:17 PM
KorpDeath, you seem to have knowledge in this area, but one problem: you seem to be stuck on vulnerabilities. Everything has vulnerabilities, so just because it has a vulnerability is no reason to stop using it. That would be like not eating some canned food because the tin was dented. Now that's just silly, isn't it? So, well, that's my 2 cents.
Well, in this case, it's not necessarily a vulnerability but when you have multi-homed DMZs, you have more than one point of entry. This in turn is more of a strain when sifting through connection logs, system logs, etc. At least, that's my interpretation.
KorpDeath
February 14th, 2002, 05:36 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=139870#post454933) by Vorlin
Well, in this case, it's not necessarily a vulnerability but when you have multi-homed DMZs, you have more than one point of entry. This in turn is more of a strain when sifting through connection logs, system logs, etc. At least, that's my interpretation.
Thanks for clearing that up, Vorlin.
RiOtEr - What should I be pointing at if not the vulnerabilities? My mistake, this site is about underwater basket weaving. My mistake, I'll try to keep on track next time.
gold eagle
February 14th, 2002, 07:59 PM
Underwater basket weaving? :rofl:
Man, that's choice. KorpDeath, you're good today. Of course, you are right about pointing out this, and Vorlin nicely spoke about that.
In general you have to watch multihomed hosts as the issues grow with each network they are on.
KorpDeath
February 14th, 2002, 08:04 PM
And putting a box in your DMZ that has a direct connection to your LAN is a bad bad bad idea. If that box is compromised then the soft center of your network is exposed to a harsh reality.
chsh
February 14th, 2002, 08:48 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=139870#post447596) by iNViCTuS
I think this brings us back to something we all know and have said a thousand times:
It's not so much the firewall as it is the person who configures it. Vulnerabilities can be found in anything. Checkpoint gets more recognition, unfortunately, because they are so popular in this space. My company also is partnered with Checkpoint, and I am sure mrwall's is too. So I know how you feel. But when it comes down to the bottom line, I would feel comfortable deploying Checkpoint in just about any environment, and I'm sure you would probably agree.
To a certain extent the admin is responsible, but there is a point where the software itself has to take some of the blame. If the company has written a piece of software that is rife with overflowable buffers, then IMO the admin is not 100% to blame, except for maybe deploying the software. In this case, with firewalls, I did a quick search at Google for Checkpoint Firewall-1 vulnerabilities and it came up with a few hits; among them I grabbed these:
http://ciac.llnl.gov/ciac/bulletins/k-073.shtml - Discusses several vulnerabilities in CPFW-1
http://www.securityfocus.com/bid/1890 - CPFW-1 spits out valid usernames, aiding in a bruteforce of passwords.
http://www.geocrawler.com/archives/3/90/2000/7/0/4121477/ - More discussion on the CPFW-1 vulnerabilities.
I have never used CPFW-1, so I don't know the specifics of it, but from reading over the vulnerabilities, it seems that the software itself is at fault about half the time. That's more than unacceptable in my view. A firewall should come configured to protect against these things out of the box. Allowing anyone from any IP address to try to remote admin this firewall doesn't seem like a secure policy to me.
Granted, that could be fixed with some configuration, but is the point behind a firewall not to secure a network? How secure is it if the out-of-the-box configuration is totally open?
gold eagle
February 14th, 2002, 08:55 PM
Valid points, chsh. I would like to point out that almost all off-the-shelf software currently ships with many things "open". Maybe they need to ship it with things closed and leave it to the admin to open it up.
KorpDeath
February 14th, 2002, 09:22 PM
Sometimes it has to be open just to get it configured; then after you configure it, it's your responsibility to close all that is open. There should, of course, be documentation to tell you what exactly is open, but nonetheless.... it's up to the admin to lock up after he leaves for the night (so to speak)........
iNViCTuS
February 14th, 2002, 09:33 PM
Still can't say I agree with you. Of course the software vendor should not release software with vulnerabilities, BUT no matter what you do, vulnerabilities can always be discovered. It is at this point where the security admin needs to take some responsibility and do it himself. After all, that is what we are getting paid the big bucks for, right? If no vulnerabilities existed, security admins would no longer have jobs. NOTHING IS PERFECT!!!
The problem is that once something happens, it is very easy to point the finger at the next guy, when the fact is if you weren't so damn lazy in the first place, you probably wouldn't have a problem. Are we all going to stop using Microsoft because it is so insecure... of course not.
And...NONE of the Checkpoint vulnerabilities were ever anything serious, and those who know Checkpoint will agree with me on that.
mrwall
February 15th, 2002, 01:09 PM
OK, now is this thread ever gonna end? I'm really sick of hearing shit from some uneducated ppl <not you invictus :p>.
Chsh: if you haven't ever used CP, why are you arguing it? What sort of basis do you have to argue this on?
The default policies are just used when there is no policy installed on the FW module. Even those could be changed as mentioned earlier or as in defaultfilter.pf in Phoneboy's book (Appendix F).
Also, if you're using the GUI to create your rulebase, #include fwui_trail.def is added to the end; the file has one sole purpose, "DROP whatever reaches it". Is that open by default? CP's only open ports are all stated in the Implied_Rules and NOWHERE ELSE.
That's it for Chsh. Plus, Jerald Josephs is moderator on the fw1-wiz list, and Regional Manager of Nokia Telecommunications in da east coast of the USA. The guy's experience is only limited to his appliance <Nokia's IP series> and VPNs. He has mentioned no vulnerabilities in his post. The problems demonstrated at BH could be found on Phoneboy's site under Docs. Yet, as you see, those problems are all mistakes by the ADMINs and not caused by CP.
Also, the vuln u named for brute-forcing FW-1's user database was also reported on VPN-1; it just returns "wrong pwd" for valid accounts and "unknown user" for invalid accounts.
BTW, who said that it is manageable from everywhere, as you <or whoever did> claim? CP doesn't allow administration except from the specified management console, and even the management console only allows the GUI clients to connect which are also specified.
How on earth would CP be a best seller if everyone could just find a problem with it? I have come across a number of problems, but they were all just the admin's fault, no more.
That's it for me on the boards, I'm not here until I find something else really interesting.
Invictus: I completely agree with you <and you know that I know CP from phone's list :)> and about Focmaester's Q, I agree with you on the un-configured point, but CP does accept the con.. cause VRRP is used in HA and when the FW is *not* running in HA it just thinks there is NO HOST to sync with, not that it isn't in HA mode. The only way to correct this and have all packets with src_ip and dst_ip of vrrp.mcast.net <224.0.0.0> denied is to remove the "sync" flag from your tables. Also, it was me who asked Foc to post that Q :)
Thanks,
Invictus : Enjoy your life,
Others: come up with something important and really good before you think of replying.
etsh911
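The post above describes a rulebase in which the only "open" things are the implied rules, and whatever the admin writes is followed by a trailer whose sole purpose is "DROP whatever reaches it". The following is an added illustration of that first-match ordering, not Check Point code and not from anyone in this thread: it assumes implied rules are evaluated before the explicit rulebase and a trailing drop after it (an assumption of the model, not a statement about the product's configurable ordering). Addresses, rule names and the management port are placeholders. It also shows why an explicit drop can "not work" when an implied accept sits above it, which is the first thing to check when reading logs.

```python
"""Constructed model of an ordered firewall rulebase (added example).

Assumption: first match wins; implied rules are evaluated first, then the
admin's explicit rules, then an unconditional DROP trailer.
Addresses (RFC 5737 / RFC 1918) and the management port are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str = "0.0.0.0/0"       # CIDR; default matches any source
    dst: str = "0.0.0.0/0"
    proto: str = "any"           # "any", "tcp" or "udp"
    dport: Optional[int] = None  # None matches any destination port
    action: str = "drop"         # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


MGMT_CONSOLE = "10.0.0.5"   # placeholder management console
FIREWALL = "192.0.2.1"      # placeholder firewall module
DMZ_WEB = "192.0.2.10"      # placeholder DMZ web server
MGMT_PORT = 5555            # constructed; not the product's real management port

# The only "open" thing lives here, ahead of whatever the admin writes.
IMPLIED_RULES = [
    Rule("implied: console -> firewall", src=MGMT_CONSOLE + "/32",
         dst=FIREWALL + "/32", proto="tcp", dport=MGMT_PORT, action="accept"),
]

# Appended after the explicit rules: any/any -> drop.
TRAILING_DROP = Rule("trail: drop whatever reaches it")


def build_rulebase(explicit: List[Rule]) -> List[Rule]:
    """Implied rules, then the admin's rules, then the trailing drop."""
    return IMPLIED_RULES + list(explicit) + [TRAILING_DROP]


def evaluate(rulebase: List[Rule], p: Packet) -> Tuple[str, str]:
    """First match wins. Returns (action, rule name) so a log line can say why."""
    for rule in rulebase:
        if rule.matches(p):
            return rule.action, rule.name
    raise AssertionError("unreachable: the trailing drop matches everything")


def shadowed(rulebase: List[Rule], p: Packet) -> List[str]:
    """Names of later rules that also match p but never get a say."""
    hits = [r.name for r in rulebase if r.matches(p)]
    return hits[1:]


# Constructed admin rulebase: publish the DMZ web server, plus an attempt to
# block the console that is silently shadowed by the implied rule above it.
ADMIN_RULES = [
    Rule("web: anyone -> DMZ web", dst=DMZ_WEB + "/32", proto="tcp",
         dport=80, action="accept"),
    Rule("block: console -> firewall", src=MGMT_CONSOLE + "/32",
         dst=FIREWALL + "/32", action="drop"),
]

if __name__ == "__main__":
    rb = build_rulebase(ADMIN_RULES)
    for pkt in (Packet("203.0.113.7", DMZ_WEB, "tcp", 80),
                Packet("203.0.113.7", DMZ_WEB, "tcp", 22),
                Packet(MGMT_CONSOLE, FIREWALL, "tcp", MGMT_PORT)):
        action, why = evaluate(rb, pkt)
        print(f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}: {action} ({why}); "
              f"shadowed: {shadowed(rb, pkt)}")
```

With an empty explicit rulebase every packet other than the implied console-to-firewall flow ends at the trailer and is dropped; with the admin's rules the web port is published, and `shadowed()` reports that the explicit "block" rule never fires for console traffic because the implied accept is matched first.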
chsh
February 15th, 2002, 04:33 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=139870#post455501) by mrwall
OK, now is this thread ever gonna end? I'm really sick of hearing shit from some uneducated ppl <not you invictus :p>.
Chsh: if you haven't ever used CP, why are you arguing it? What sort of basis do you have to argue this on?
Well, my knowledge of good software security practices for starters...
The default policies are just used when there is no policy installed on the FW module. Even those could be changed as mentioned earlier or as in defaultfilter.pf in Phoneboy's book (Appendix F).
Also, if you're using the GUI to create your rulebase, #include fwui_trail.def is added to the end; the file has one sole purpose, "DROP whatever reaches it". Is that open by default? CP's only open ports are all stated in the Implied_Rules and NOWHERE ELSE.
That's it for Chsh. Plus, Jerald Josephs is moderator on the fw1-wiz list, and Regional Manager of Nokia Telecommunications in da east coast of the USA. The guy's experience is only limited to his appliance <Nokia's IP series> and VPNs. He has mentioned no vulnerabilities in his post. The problems demonstrated at BH could be found on Phoneboy's site under Docs. Yet, as you see, those problems are all mistakes by the ADMINs and not caused by CP.
Etsh, none of what I was saying was laying blame solely on CPFW-1. As I said, the caveat to my post was that I haven't had any experience directly with FW-1. I based my comments on my understanding of what was written at those sites, and my understanding of how secure software works.
What I'd tried to put forth was the concept that the Admin is not always 100% to blame. It can vary from software co. to software co. Look at Microsoft. I'm certain there have been admins bitten by various bugs because of faulty or nonexistent patches to IIS, and not because they haven't tried patching their systems. It happens, face it.
Also, the vuln u named for brute-forcing FW-1's user database was also reported on VPN-1; it just returns "wrong pwd" for valid accounts and "unknown user" for invalid accounts.
Correct. Your system is less secure from the standpoint that now someone has a valid user account and can then go about bruteforcing that user account. This kind of disclosure only helps someone attempting to break into a system.
BTW, who said that it is manageable from everywhere, as you <or whoever did> claim? CP doesn't allow administration except from the specified management console, and even the management console only allows the GUI clients to connect which are also specified.
http://www.safermag.com/html/safer21/alerts/04.html - On Solaris, CPFW-1 rlogin listens on all available NICs.
By the by, I wasn't trying to come off as trashing something I don't know much about, and I apologize if I did. I was merely pointing out that it's all fine and dandy to blame the admin when it is the admin's fault, but some of this stuff is IN SOFTWARE. I happen to agree with gold eagle that it makes the admin's life a little more difficult if they've got to go through and disable a bunch of extra crap. IMO, servers and firewalls should come with everything OFF by default (RedHat's learning this lesson, as I've noticed that certain things have to be enabled unless you specify them to load at boot during installation), and then the admin can do his/her job and configure it the way it should be configured.
I completely agree that one should blame the admin when it's the admin's fault, but if it's a software problem, then lay the blame where it should: on the software. Implementing work-arounds is not a good fix for things. It should be temporary until the software can be updated to remove any problems.
How on earth would CP be a best seller if everyone could just find a problem with it? I have come across a number of problems, but they were all just the admin's fault, no more.
Hahahahaha. You think problems have anything to do with it? You're seriously deluded there, etsh! Look at IIS. It's got bucketloads of problems, but a LOT of people still use it because it's simpler to configure than Apache. You personally may not be the kind of guy who will succumb to these kinds of problems, but by having stuff accessible, the complete neophyte firewall guy will be the one hurt by this.
Whether you like it or not, if it's easy enough to use, companies will buy it and will hire an idiot to run it. "It can't be complicated or hard because there's a GUI" seems to be how a lot of people think. They're flat out wrong, and it's damn time companies out there started realising this and implemented better default configurations.
Others: come up with something important and really good before you think of replying.
Your idea of 'really important and good' is obviously different from mine, so you'll have to let me know.
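The exchange between mrwall and chsh above (a login that answers "wrong pwd" for a real account and "unknown user" for a fake one, and why that helps an attacker narrow a brute-force to accounts that exist) is the classic account-enumeration weakness. Here is an added example, written for this thread and not taken from any product or poster, of the leaky check beside the fixed one. The user database, passwords and function names are constructed for the demonstration. The hardened version returns one generic message and performs the same password-hash computation whether or not the account exists, so neither the text nor the response time tells the two failure cases apart.

```python
"""Added example: account enumeration through distinct login error messages,
and the uniform-response fix. Users and passwords below are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 work factor for the demo


def _make_record(password: str):
    """Constructed user record: (salt, PBKDF2-HMAC-SHA256 digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed user database for the demonstration.
USERS = {
    "alice": _make_record("correct horse battery staple"),
    "bob": _make_record("hunter2"),
}

# Dummy record with the same cost as a real one, so a lookup of a non-existent
# user still performs exactly one PBKDF2 computation (no timing difference).
_DUMMY_SALT, _DUMMY_HASH = _make_record(os.urandom(16).hex())


def _check(salt: bytes, expected: bytes, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)   # constant-time compare


def login_verbose(username: str, password: str) -> str:
    """Leaky version: the two failure cases are distinguishable, and a
    non-existent user is rejected without doing any hashing (faster, too)."""
    record = USERS.get(username)
    if record is None:
        return "unknown user"
    if not _check(record[0], record[1], password):
        return "wrong password"
    return "ok"


def login_uniform(username: str, password: str) -> str:
    """Hardened version: one generic failure message and the same amount of
    work on every path. The dummy record absorbs the lookup of unknown users."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = _check(salt, expected, password) and username in USERS
    return "ok" if ok else "invalid username or password"


def leaks_account_names(login) -> bool:
    """True if a wrong password for a real account can be told apart from an
    attempt against an account that does not exist: the enumeration oracle."""
    return login("alice", "nope") != login("nobody", "nope")


if __name__ == "__main__":
    for fn in (login_verbose, login_uniform):
        print(fn.__name__, "leaks account names:", leaks_account_names(fn))
```

The same principle applies to any authentication front end, VPN user databases included: a reviewer can run a real-but-wrong and a fake-user attempt against the login path and compare both the message and the elapsed time; if either differs, the check is an oracle.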